Skip to main content

Two-factor authentication

Griffin requires two-factor authentication (2FA) every time you log in or make a payment. You must authenticate using a passkey stored on a security device of your choice.

How it works

We use a web standard protocol called WebAuthn to generate a private passkey, which is stored on your chosen security device. This is paired with a public key that is stored on our servers and associated with your account. Both pieces of the pair are needed to generate the authentication token that allows you to log in.

When you create a new Griffin account you will be prompted to register a passkey, which will be stored on your chosen device.

When you log in to your Griffin account, you will need to authenticate yourself using your registered passkey.

What devices can I use?

The table below shows the devices you may use to register and store a passkey, and the system requirements for using it with your Griffin account.

DevicePasskey device requirementsLaptop/computer requirements
Physical security deviceMust be FIDO2 compatible (we recommend YubiKeys)None
Apple deviceMust have iOS 16 or laterMust have bluetooth
Android deviceMust have Android 9.0 or later, and have screen lock enabledMust have bluetooth

Regardless of the device you use, your operating system and browser combination must be compatible with roaming authenticators.

Registering a passkey on your security device


Right now, we only support one security device per account and you will need it every time you want to log in or make a payment - so please choose a trusted device that you will always have on hand!

Click Register device to get started.

Clicking "Register device" brings up a pop-up from WebAuthn.

In the WebAuthn pop-up, select your preferred option and follow the instructions. If you choose a phone or tablet, you will need to scan the QR code.


WebAuthn might look a bit different depending on your browser and OS (this example uses a MacBook with Google Chrome). If the pop-up only gives you one option when adding a device, you may need to click Use a different device (or Cancel on Windows) to see the option to use your phone or tablet.

When you click "Use a phone or tablet", a QR code will be displayed.

You don’t need a special authenticator app to scan the QR code - just open your device’s camera and point it at the screen. You'll be prompted to store your passkey in your device’s password manager (iCloud Keychain in this example).

When you open your device's camera and scan the QR code, you will be prompted to save the passkey to your device.

Using your passkey to log in and make payments

Every time you log in to Griffin, you will need to have your security device on hand so you can authenticate using your passkey. Similarly, whenever you send a payment, clicking Confirm and send will prompt you to authenticate using your passkey.

When prompted, select the device type where your passkey is stored and follow the instructions. If you are using a phone, you will need to scan the QR code.

Next time you log in, a pop up will prompt you to scan a QR code using your registered phone or tablet.

Lost or stolen devices

If the device where you store your passkey is lost or stolen, you should contact us immediately at so that we can remove the passkey from your account.


For security purposes, we need approval from another admin in your organisation before we deactivate a passkey.

Once your passkey has been removed, you will be prompted to register a new one the next time you log in. You will not be able to log in to your Griffin account until you’ve registered a new passkey.